Chap 9 - putting it together Flashcards

1
Q

what is governance

A

align or link the organization's overall goals and objectives to the lower-level security and asset-protection goals and objectives that security professionals help establish, operate and maintain

2
Q

what are policies

A

mandatory

formally prepared, authoritatively issued directions or statements of intent that senior leadership provides to the organization

to be effective as a directive, a policy must be explicitly linked to an enforcement mechanism

3
Q

what are procedures

A

mandatory

define the explicit, repeatable, step-by-step activities necessary to accomplish a specific task or set of tasks

4
Q

what are guidelines

A

non-mandatory

act as advisory information and can offer insights drawn from experience and observation

5
Q

what are standards

A

mandatory

specify uniform, mandatory requirements (technologies, configurations, parameters) that implement policy; they cover a broad range of issues and are often adopted from external bodies such as NIST or ISO

6
Q

what is the hierarchy of administrative controls, from broadest (breadth) to most specific (depth)

A
  1. Policies
  2. standards
  3. guidelines
  4. procedures
7
Q

what is COBIT framework

A

way to manage and document enterprise IT and IT security functions

8
Q

what is ITIL

A

a set of best practices for IT service management (ITSM)

9
Q

what is a security framework

A

establishes a starting set of security requirements or data-protection drivers for the workflow as a whole. The framework also establishes the success criteria used to assess the in-use system and its controls for compliance and security assessment purposes

10
Q

what is a risk framework (ERM)

A

similar to security control frameworks; the security professional may also use a dedicated risk management framework (enterprise risk management, ERM) to optimize the organization's response to risk

11
Q

role of forensic investigation tools

A

the tools of digital forensics are put into action moments after an incident or malfunction has been detected. These tools and processes are used to gather data, some of which may later be used as evidence in a more formal investigation

12
Q

how to maintain integrity of an investigation

A
  • respect ethical walls
  • non-disclosure
  • evidence handling
  • respect rights of individuals and other parties
  • communication with outside persons conducted through appropriate channels
13
Q

what are key steps in digital forensic investigation

A
  • appoint an evidence custodian
  • maintain a chain of custody (the chain of evidence) for every item, from collection through presentation
  • make copies of all original evidence and work on the copies, keeping backups so the originals are never altered

14
Q

what is admissible evidence in court

A

admissibility: only evidence that is acceptable to the court may be presented. To be admissible, evidence must be:

  • accurate
  • comprehensible
  • objective
15
Q

what are the 4 types of investigation

A
  • administrative (internal)
  • civil
  • regulatory
  • criminal
16
Q

what is a business impact analysis (BIA)

A

the BIA is the effort to determine the value of each asset belonging to the organization, the potential cost of losing each asset, and the threats likely to affect the organization

the BIA provides the foundation for determining the overall scope and extent of the BCDR plans

17
Q

3 key control parameters for BCDR

A
  • maximum allowable downtime (MAD) = the longest outage the organization can tolerate without significant or unacceptable harm
  • recovery time objective (RTO) = the target time to restore the service (must be less than the MAD). BCDR strategy and plans must support achieving the desired RTO
  • recovery point objective (RPO) = the maximum amount of data the organization can lose before unacceptable harm is caused. RPO refers to data loss and is usually expressed as a point in time (e.g., no more than the data created since the last backup), which in turn drives backup frequency
18
Q

what are the key parameters that must be established for response activation

A
  1. criteria for initiating the response action
  2. personnel authorized to initiate BCDR action
  3. information chain to provide the decision making authority with sufficient data
19
Q

what are the key participants in response team

A
  • responders
  • IT
  • security
  • legal
  • human resources
  • finance/accounting
  • public relations/communications
  • senior management / leadership
20
Q

why is assessment of loss critical

A
  • criminal prosecution -> determine the damage
  • civil actions -> determine the damage
  • investors reporting
  • informing regulators
21
Q

how can the human factor of risk be limited

A

candidate screening & hiring process
1. detailed & reliable job description
2. checking candidate references
3. checking employment history
4. performing a background check
5. assessing a financial profile

22
Q

3 main employment agreements & policies

A
  1. employee handbook
  2. employee contract
  3. NDA
23
Q

what are the various types of NDAs

A
  • unilateral NDA (one party discloses, the other keeps confidence)
  • bilateral NDA (both parties disclose and keep confidence)
  • multilateral NDA (three or more parties)
  • non-compete agreement (NCA; strictly not an NDA, but commonly paired with one)
24
Q

what are the main considerations when engaging vendors, consultants, contractors, etc.

A
  • contractual protections
  • NDA and NCA
  • distinct restricted account
  • escort requirement
  • distinguishing ID
25
Q

what are the core functions of the NIST Cybersecurity Framework (CSF)

A
  • identify
  • protect
  • detect
  • respond
  • recover

(CSF 2.0, published in 2024, adds a sixth function, govern, that spans the other five.)
26
Q

what are the 4 perspectives used to define "what is at risk"

A
  • asset-based
  • outcome-based and process-based
  • vulnerability-based
  • threat-based
27
Q

what is “Risk”

A

a possible event which can have a negative impact upon the organization

28
Q

what is hazard

A

a precondition of a system, workplace, environment that could cause a risk

29
Q

what is a vulnerability

A

an inherent weakness or flaw in a system or component

30
Q

what is a threat

A

a human actor or group that makes the deliberate decision to exploit a vulnerability to cause harm (the narrow, actor-centred definition used here; more broadly, any potential cause of an unwanted incident, including accidental and natural events)

31
Q

what are the four choices when confronted with a risk

A
  1. mitigate
  2. avoid
  3. transfer
  4. accept
32
Q

how can risk be mitigated

A
  1. remediation measures
  2. risk controls or security controls implemented

even after all measures implemented there is still a “RESIDUAL RISK”

33
Q

what is risk avoidance

A

cease operating some activities of the organization that are exposed to particular risk

34
Q

what is risk transfer

A

practice of paying another party to accept the risk (e.g., insurance)

35
Q

what is risk acceptance

A

it is the opposite of avoidance: the decision to conduct the activity despite the risk, because the impact or likelihood is negligible (or the cost of treating the risk exceeds the expected loss). Acceptance should be an explicit, documented decision by someone with the authority to make it

36
Q

what are the 3 meanings of risk exposure

A
  1. exposure window measures, over time, the likelihood or probability of occurrence of a risk event
  2. risk exposure factor (EF) is an estimated fraction of an asset's or outcome's value to the organization that is reduced by a single occurrence of a risk event
  3. exposure estimation is a description of how certain risks are categorically much lower or higher than others for a given organization
37
Q

what are the two types of risk assessment

A
  1. qualitative = giving relative ranking (e.g., High, low)
  2. quantitative = numeric value to probability & impact
38
Q

when to use qualitative assessment

A
  • newness
  • uniqueness
  • time limitation
  • no reliable measuring method
39
Q

when to use a quantitative approach

A
  • business process
  • measurement techniques - precise and reliable
  • experience with process and data quantity
40
Q

risk assessment method (math)

A

annualized loss expectancy (ALE) = SLE x ARO

ARO = annualized rate of occurrence = the number of times the loss event is expected to happen per year (may be less than 1, e.g., 0.1 for an event expected once a decade)

SLE = single loss expectancy = the expected financial impact of a single occurrence of the risk

SLE = AV x EF

AV = asset value
EF = exposure factor = a fraction from 0 to 1 representing the proportion of the asset's value lost in a single event (0 = no damage / 1 = total loss)
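As an added worked example (not part of the flashcard deck), the following Python carries the SLE/ALE arithmetic above through to the cost/benefit comparison that the deck later names as the final step of a quantitative risk analysis: the annual value of a safeguard is the ALE it removes minus its own annual cost. The asset value, exposure factors, rates and safeguard cost are constructed for illustration, not figures from any real assessment.

```python
"""Quantitative risk analysis chain: SLE -> ALE -> safeguard cost/benefit.
Added example; every figure in the scenario at the bottom is constructed."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0..1) of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 (no damage) and 1 (total loss)")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year and may be
    below 1 (0.1 means the event is expected roughly once every ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Cost/benefit of a countermeasure: (ALE before) - (ALE after) - (annual cost).
    Positive means the control saves more per year than it costs to run."""
    return ale_before - ale_after - annual_safeguard_cost


def assess(asset_value: float, ef_before: float, aro_before: float,
           ef_after: float, aro_after: float, annual_safeguard_cost: float) -> dict:
    """Run the whole chain for one risk and one proposed control.
    Returns every intermediate figure so they can be inspected or reviewed."""
    sle_before = single_loss_expectancy(asset_value, ef_before)
    ale_before = annualized_loss_expectancy(sle_before, aro_before)
    sle_after = single_loss_expectancy(asset_value, ef_after)
    ale_after = annualized_loss_expectancy(sle_after, aro_after)
    value = safeguard_value(ale_before, ale_after, annual_safeguard_cost)
    return {
        "SLE_before": sle_before,
        "ALE_before": ale_before,
        "SLE_after": sle_after,
        "ALE_after": ale_after,
        "safeguard_value": value,
        "justified": value > 0,
    }


if __name__ == "__main__":
    # Constructed scenario: a customer database valued at 500,000. A ransomware
    # event is assumed to destroy 40% of its value (EF 0.4) and to occur about once
    # every ten years (ARO 0.1). Immutable offline backups costing 8,000 per year are
    # assumed to cut the EF to 0.1 (the data survives; only downtime and cleanup remain)
    # while leaving the ARO unchanged, since backups do not stop the attack itself.
    result = assess(500_000, 0.4, 0.1, 0.1, 0.1, 8_000)
    for name, figure in result.items():
        print(f"{name:>16}: {figure}")
```

In the scenario the control removes 15,000 of annual expected loss for 8,000 of annual cost, so it is justified; raise the safeguard cost above 15,000 and the same function reports it is not. The useful habit the code enforces is that EF stays within 0 to 1 and that the "after" figures are computed with the same formulas as the "before" figures, so the comparison is like for like.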

41
Q

what are the elements of STRIDE (threat modeling)

A
  • spoofing identity
  • tampering with data
  • repudiation
  • information disclosure
  • DoS
  • elevation of privilege
42
Q

what are the 3 applicable types of controls

A
  1. administrative
  2. logical/technological
  3. physical
43
Q

what are the categories of security controls

A
  1. directive / administrative
  2. deterrent
  3. preventive
  4. compensating
  5. detective
  6. corrective
  7. recovery
44
Q

what are the various techniques for presenting awareness and training

A
  1. computer-based training (CBT)
  2. live in-person training
  3. online synchronous training
  4. regular communications
  5. reward mechanism
  6. gamification
45
Q

What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.

A

Conduct a cost/benefit analysis.

The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement proposed countermeasure(s).

46
Q

Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A

Combination of quantitative and qualitative risk assessment

47
Q

Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

A

B. Implementing RAID

RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action.

Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

48
Q

Which one of the following is not normally included in business continuity plan documentation?
A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility

A

A. Statement of accounts

Business continuity plan documentation normally includes

the continuity planning goals,
a statement of importance,
statement of priorities,
statement of organizational responsibility,
statement of urgency and timing,
risk assessment & risk acceptance & mitigation docs,
a vital records program, emergency response guidelines,
and documentation for maintaining and testing the plan.

49
Q

Which one of the following is not normally considered a business continuity task?
A. Business impact assessment
B. Emergency response guidelines
C. Electronic vaulting
D. Vital records program

A

C. Electronic vaulting

Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.

50
Q

Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
A. Structured analysis of the organization
B. Review of the legal and regulatory landscape
C. Creation of a BCP team
D. Documentation of the plan

A

D. Documentation of the plan

The project scope and planning phase includes four actions:
1. a structured analysis of the organization,
2. the creation of a BCP team,
3. an assessment of available resources,
4. an analysis of the legal and regulatory landscape.

51
Q

Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments

A

CEO

While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally

52
Q

COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
A. Business owners
B. Data processors
C. Data owners
D. Data stewards

A

A. Business owners

Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive.

53
Q

Harold is assessing the susceptibility of his environment to hardware failures and would like to identify the expected lifetime of a piece of hardware. What measure should he use for this?

A

MTTF

The mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails.

54
Q

Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?
A. Auditing and logging is enabled.
B. RBAC is used for specific operations.
C. Data type and format checks are enabled.
D. User input is tested against a whitelist.

A

B. RBAC is used for specific operations.

Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to.

55
Q

Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
A. Information disclosure
B. Denial of service
C. Tampering
D. Repudiation

A

D. Repudiation

Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue.
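The following Python is an added example, not from the flashcard deck, showing concretely why the shared-key design in the last card lands in STRIDE's repudiation category (card 41). Two servers authenticate transactions with HMAC. When they share one key, a tag produced by server B while claiming to be server A is byte-for-byte identical to one produced by A, so the verifier cannot attribute the transaction and A can plausibly deny it. With a distinct key per server the same impersonation attempt fails verification. Server names, the transaction string and the keys are all constructed for the example.

```python
"""Repudiation with a shared symmetric key versus per-server keys (added example).
Uses only the standard library; all server names, keys and data are constructed."""
import hashlib
import hmac
import secrets


def tag(key: bytes, server_id: str, transaction: bytes) -> bytes:
    """HMAC-SHA256 over (server_id || '|' || transaction). Binding the claimed
    server_id into the MAC is necessary but not sufficient for attribution:
    anyone holding `key` can produce a valid tag for any server_id."""
    return hmac.new(key, server_id.encode() + b"|" + transaction, hashlib.sha256).digest()


def verify(key: bytes, server_id: str, transaction: bytes, mac: bytes) -> bool:
    """Constant-time comparison so verification itself does not leak the tag."""
    return hmac.compare_digest(tag(key, server_id, transaction), mac)


TX = b"transfer:acct=1234;amount=5000"  # constructed transaction record


def shared_key_scenario() -> dict:
    """Vulnerable design: every server in the cluster holds the same key."""
    shared = secrets.token_bytes(32)
    honest = tag(shared, "server-A", TX)  # produced by server A
    forged = tag(shared, "server-A", TX)  # produced by server B, claiming to be A
    return {
        "honest_verifies": verify(shared, "server-A", TX, honest),
        "forged_verifies": verify(shared, "server-A", TX, forged),
        # Identical bytes: the verifier has no way to tell which server signed,
        # so server A can repudiate the transaction.
        "distinguishable": honest != forged,
    }


def per_server_key_scenario() -> dict:
    """Hardened design: each server has its own key, known only to it and the verifier."""
    keys = {"server-A": secrets.token_bytes(32), "server-B": secrets.token_bytes(32)}
    honest = tag(keys["server-A"], "server-A", TX)
    # Server B holds only its own key; its attempt to impersonate A cannot verify under A's key.
    forged = tag(keys["server-B"], "server-A", TX)
    return {
        "honest_verifies": verify(keys["server-A"], "server-A", TX, honest),
        "forged_verifies": verify(keys["server-A"], "server-A", TX, forged),
    }


if __name__ == "__main__":
    print("shared key   :", shared_key_scenario())
    print("per-server key:", per_server_key_scenario())
```

Per-server MAC keys let the verifier attribute a tag to one server, which fixes the transaction-identification problem inside the system. They do not give non-repudiation toward a third party, because the verifier still holds every key and could itself forge any server's tag; for that, each server needs its own asymmetric signing key (for example Ed25519) whose private half never leaves the server. That step is not shown here only because the Python standard library has no signature primitive.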